This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.

Monday, April 07, 2014

DoH and NEHTA Are Working To Fix PCEHR Security Issues.

No names and no pack drill but 3 facts regarding the PCEHR are now clear.

1. There is a serious security issue with the PCEHR.

2. NEHTA, Accenture and DoH are aware and are working to see how they can fix it.

I think this is unreasonable. A potential flaw has been found. Under a set of obscure conditions, it could be used to gain access to information and/or privileges that the user viewing a PCEHR document has.

It is being taken seriously, that's for sure. But it's very far from being a serious issue.

"And by the way the system has been operating for two years now without an incident"

You're kidding right!

The "existence" of the PCEHR can hardly be construed with "operating" as it would require "substantial" utilisation to be seriously considered as anywhere near "operating"... Consuming taxpayers funds for NO Value creation doesn’t count as “Operating” either!

And by the way, the PCEHR will firstly need to contain something of Value before it attracts serious scrutiny, probing and the compromise of its conventional security defences.

The current user "registration" records and duplicate DOHA MBS and PBS data is hardly the giant honeypot most people make it out to be.

Yes David, transparency is the greatest defence mechanism that Open Source software demonstrates every second of every day...

I think this is unreasonable. A potential flaw has been found. Under a set of obscure conditions, it could be used to gain access to information and/or privileges that the user viewing a PCEHR document has.

It is being taken seriously, that's for sure. But it's very far from being a serious issue."

Thanks for that. It's being taken seriously but the punters need not worry!

Either a system with 1.5 million enrolees is compromised or not. Seems it is.

The key issue here is when there will be an announcement that the issues are understood and addressed for public confidence to be restored.

No, it's not that simple at all, it's not a binary choice. Even for a single application, let alone a system of systems. There are many many systems, multiple version, mostly closed source, that can view documents from the pcEHR. Any of these may be affected, but we don't know what the effect would be.

You ask when there'll be announcement. I presume that you don't think that such an announcement should happen before the issues are actually known and addressed. Perhaps you just think that the timeline for that should be known in advance?

"You ask when there'll be announcement. I presume that you don't think that such an announcement should happen before the issues are actually known and addressed. Perhaps you just think that the timeline for that should be known in advance?

Come on, David, really..."

Yup really, given there is an issue that has become public I think there should be an announcement that the problem is recognised and is being addressed and in the mean time the access to the system has been restricted to ensure the exploits are not able to be abused.

Yes without Grahame and this column we would all be left in the dark. At least someone lets us know what is happening. The system operator treats us with contempt by not informing us, causing speculation and mistrust. The poor start to the pcehr left us all worrying about bad design and inadequate system management. It would be better to be simply open and honest.

"And by the way the system has been operating for two years now without an incident"

This is manifestly untrue. Many incidents around data quality have been reported by members of the press (remember the pulse IT reporter) and the public.

There is absolute secrecy around any formal incident reports that are sent to the PCEHR clinical governance committee operating from the Commission for Quality and Safety. We are not told how many reports there are per month, how serious they are, and what was down to make them safe.

I guess these are "operational" or "on the water" matters and we just don't need to know.

Can I suggest that from an IT perspective, it's a technical, system security issue. It's also a serious matter which if left unresolved could result in bad things arising. These things happen and get fixed.

From an information management perspective, it's a trust issue, to be added to all the other trust issues still outstanding.

Nobody's information has been compromised (as far as we know) so the matter will disappear into the noise.

Those who are against the system will still be against it. Those who promote it will continue to do so. Those who don't care will continue to not care. Will it change anyone's mind about the system? I doubt it.